A couple of months ago, Mike Danseglio, the Program Manager for the Security Solutions group at Microsoft blamed users for the Windows security nightmare, saying "there really is no patch for human stupidity."
Nice one, Mike.
Actually, Mike, there really is no patch for that kind of blame shifting. We make software and it's our job to make it work. Designing and building software is an extremely complex process but it is not magic and it is not only possible to make it safe, it's a requirement.
The makers of internet connected software, primarily browsers and email programs, have created sophisticated platforms for web developers and for those who would do the user harm. Microsoft, with its dominance in the browser and email markets, walked away from improving that platform in 2001 and gave the bad guys half a decade -- and remember, this is "Internet time", half a decade to build ever more sophisticated attacks against users.
This is not some mystery. Microsoft and Netscape built some very powerful technology . In just a few short years they brought hundreds of millions of people online. The security nightmare, though, didn't begin until the leading browser makers left those users to fend for themselves. While Netscape isn't completely free from blame (see Netscape 7 sans pop-up blocker) it is Microsoft that left the majority of users out in the cold for five years while the bad guys developed ever more sophisticated attacks using the tools Microsoft provided.
Here are a couple of examples from the last five or six years:
When it became obvious that pop-ups were not just a nuisance, but a major vector for spyware and adware, we added a pop-up blocker to Mozilla (back at the beginning of 2001). It took IE almost 4 more years to offer the feature in IE -- and then only to XP SP2 users which left hundreds of millions of other Windows users at the mercy of one of the major vectors for malware.
For years, Mozilla struggled with website compatibility issues because it did not support Microsoft's ActiveX technology, another major vector for security attacks on users. Not only would it have been a lot of work to reverse engineer and build Mozilla support for ActiveX, it would have opened Mozilla up to some of the worst threats on the Web. It would have been a bad idea. With the upcoming IE 7 (promised almost a year and a half ago) Microsoft says that "allowing ActiveX controls to run in IE should be the exception". Good idea. And only about 5 years late.
Like I said above, it's really pretty simple. Software makers can choose to side with the user and safety, or not. At Mozilla, we put the user first. Always. We spend our days working to improve the Web for users and to protect them from the bad guys. At Microsoft, at least some have decided it's better spend their time calling users stupid and blaming them for the problem.
You have a choice when it comes to the Internet software you use. But even more important, you have a choice in the companies and organizations that build that software.
Posted by: Kurt | June 27, 2006 8:20 AM
Another sign of Micro$oft's long, slow decline? Rome wasn't built in a day, but the Roman Empire didn't last forever either...
Posted by: Patrick Lee | June 27, 2006 9:16 AM
Well, in his defense, he's talking about social engineering at this point, not software vulnerabilities. All the security in the world won't help you if the bad guys can convince someone with the appropriate clearance and privileges to do something dumb.
The best you can do is put procedures in place to make it difficult to con people in the first place, and put obstacles in place so that the marks will have more time to think about what they're doing, and maybe realize that trying to help the supposed son of a deposed foreign dictator move "MILLIONS OF $US DOLLARS" out of the country isn't going to be a good idea.
Come to think of it, while there may not be a patch for human stupidity, there is a patch for human ignorance: education. Stupidity is a lot harder to deal with.
Posted by: Kelson | June 27, 2006 9:43 AM
So ActiveX eh? What's the difference in the security mechanism between ActiveX and Netscape Plug-in model used in Firefox. I believe that each is native code running with the permissions of the user account (but I could be wrong). Also, "lot of work to reverse engineer"? Doesn't the company publish how to support COM objects? I think I missed where the reverse engineering comes in. But it does make Microsoft look bad though.
Posted by: Tyrax | June 27, 2006 10:21 AM
I think blame is the wrong word to associate with what Mike said. I think your attack here on them is a bit unjustified on those grounds.
Also, putting users first can backfire - if in your rush to put them first you do dumb things yourself.
Who are you trying to convince here, Asa? Which audience is reading this blog?
Posted by: Alex Vincent | June 27, 2006 10:48 AM
One of the major reasons why Windows is such a piece of crap is the fact that it needs to run as admin for programs to work. There's not even a password to the admin account on a default install of Windows XP SP2. Add the ActiveX issue in Internet Explorer issue, the hiding file extensions by default issue (jpg.exe), etc., and you have a recipe for disaster.
"The Internet? We're not interested in it." - B. Gates
"We need to slaughter Novell before they get stronger." - J. Allchin
"Our products just aren't engineers for security." - B. Valentine
Many more here: http://www.msboycott.com/quotes/
Posted by: Chris | June 27, 2006 12:48 PM
There IS no patch for human stupidity and it's just a matter of time before some "bank" gives visitors the advise to turn of the Firefox anti-phishing warnings before entering their online banking application "as this is required to ensure proper functioning".
Prevention by means of software is limited if we want to maintain some basic functionality and although we might share the opinion that Microsoft should have tried harder, this opinion seems unrelated to this article.
Posted by: Bram! | June 27, 2006 2:34 PM
Asa said: When it became obvious that pop-ups were not just a nuisance, but a major vector for spyware and adware,
I don't follow the logic here. Why are popups particularly bad in this regard? If I have a method of installing spyware and adware, and you have a popup blocker, I just put the exploit code into the original page rather than a popup.
Popups are irritating, but they do not by themselves increase the security risk.
Tyrax said: So ActiveX eh? What's the difference in the security mechanism between ActiveX and Netscape Plug-in model used in Firefox.
A big difference. A plug-in has to be downloaded and installed like any other piece of software (word processor, game, whatever). ActiveX controls are downloaded and executed automatically by the browser - or, at least, they were during the period about which Asa has been talking.
I've had Microsoft engineers who should know better attempt to make this comparison in comments on my blog. I don't understand why people continue to attempt it; a moment's inspection of the two technologies shows that it's clearly invalid.
Gerv
Posted by: Gerv | June 27, 2006 3:21 PM
@Gerv
I'm not expert on the subject of old versions but
1. In the timeframe asa mentions 2001-2004 (I Believe), there was always a prompt before any controls were installed on the internet.
2. The plugin finder service to me seems to have the ability to download and execute code directly from the browser.
Mozilla may keep a pretty tight lid on what the service is capable of finding. But it does seem that the technologies are pretty comparable.
And it is still native code running with the permissions of the user in either case, so if a control were to contain a flaw which is scriptable. Its bad news new matter what browser you are on.
This is the main point that I was trying to get to.
Posted by: Tyrax | June 27, 2006 5:08 PM
So what is Firefox doing to keep me from giving all my money to a Nigerian scam letter that arrives in my Gmail account? I don't care how much you want to lambast Microsoft for their unfortunate foresight regarding IE, but the guy in the article you reference is talking about social engineering tactics being the hardest battle to win in security. You haven't solved that problem in Firefox.
Nothing makes us Firefox enthusiasts puff out our chests more than misquoting a months-old article in order to spend some time reminding ourselves that Firefox is better than IE. Seriously, I'm starting to prefer the posts on astronomy and cats to this drivel.
Posted by: Jason | June 27, 2006 7:09 PM
I wouldn't say Mozilla have a perfect track record either. The way Mozilla distributes updates til Firefox fit Windows well, but it doesn't fit Linux well. For a scary look at the problems, read http://lwn.net/Articles/186614/
It's sad that Mozilla don't seem to work well with the Linux community in this regard.
Posted by: Joergen Ramskov | June 28, 2006 12:35 AM
> Popups are irritating, but they do not by themselves increase the security risk.
In Windows creating new windows is resource intensive and if you've ever used windows while doing some cpu intensive tasks, you know that popups make the system very unstable and crashy (more than normal).
Posted by: Anonymous | June 28, 2006 12:40 AM
Sorry to be an idiot, but please Asa: "It's" means "it is." The possessive form of "it" is "its."
Posted by: Sigh | June 28, 2006 11:24 AM
@Sigh - you missed the 'chose' where "choose" should have been used : )
Posted by: Chris Neale | June 29, 2006 2:22 AM
Asa, the ActiveX control mechanism is well-documented. It's pretty much a web-version of OLE inplace activation. No reverse engineering is required to implement it. Next time, learn before speaking about a topic of which you are clueless.
@Tyrax:
As for ActiveX vs any other plug-in architecture that allows for native code plugins, ActiveX is more dangerous because it includes a means to allow automatic downloading of a component. That means has been disabled in IE6 SP2 (now, one must jump through hoops via the infobar (a concept that Firefox stole, BTW ;-)) before even an "auto-install" control will actually be installed; before the infobar of IE6 SP2, IE would display a Yes/No dlg for unsigned and optionally signed controls, but many users were tricked into clicking Yes by social engineering spoofs)). Other than that, ActiveX is no more dangerous than any other native code plugin mechanism.
Posted by: Molly C | June 29, 2006 1:39 PM
Asa is just a FF fanboy.......or a MS hater...way to take it out of context dick
Posted by: Ace | June 29, 2006 2:31 PM
So instead of using ActiveX Mozilla is using their very own concept of XPCOM, trusted XUL and pseudo protocols. What a great move. Remember the favicon code execution? Or the desktop background preview execution?
And on top of that you even encourage users to download and install unsigned extensions with hardly any serious QA or penetration testing. Oh, and of course you added your very own mechanism to allow a direct interaction with your download service addons.mozilla.org. Remember the download icon code execution?
Sure, you fixed those issues faster than others. Great you are moving so fast. But i can't hear this "we are safer without ActiveX" talking anymore. You twisted a lacking feature into a security bonus - and implemented your very own security bug nightmare with XPCOM.
Posted by: mikx | June 29, 2006 11:09 PM
LOL
How's this for irony?
Asa blasts Microsoft over ActiveX, while his blog's home page has ActiveX code **allowing for automatic downloading of an ActiveX control** (i.e. the QuickTime activex control). If ActiveX is so bad, why does your own blog contain ActiveX code? Could it be that you actually find the functionality convenient, in that if a user comes to this godforsaken place without a QuickTime plugin installed, the ActiveX functionality will download the QuickTime control *if approved by the user*, rather than simply displaying the "broken QuickTime" picture?
Oh, and here is the "offending" ActiveX code to which I refer (I actually got this from reading the comments to Ed Bott's zdnet article http://blogs.zdnet.com/Bott/?p=85).
[object codebase="http://www.apple.com/qtactivex/qtplugin.cab" width="480" classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" height="376"][param name="src" value="http://media.revver.com/broadcast/23975/video.mov" /][param name="controller" value="True" /][param name="cache" value="False" /][param name="autoplay" value="False" /][param name="kioskmode" value="False" /][param name="scale" value="tofit" /][embed src="http://media.revver.com/broadcast/23975/video.mov" pluginspage="http://www.apple.com/quicktime/download/" scale="tofit" kioskmode="False" qtsrc="http://media.revver.com/broadcast/23975/video.mov" cache="False" height="376" width="480" controller="True" type="video/quicktime" autoplay="False"][/embed][/object]
Posted by: Molly C | June 30, 2006 8:02 AM
Really, sycophancy and fanaticism for sacred Mozilla has reached ridiculous proportions; this sort of thing often brings forth some sort of backlash.
Posted by: srt | July 2, 2006 6:21 PM
@ Jason
Beautifully put.
@ Ace
I believe it is possible to be both an FF fan *and* an MS hater simultaneously, and there is no doubt Asa is an example.
@ Asa
A stupid person who clicks anything using IE is going to be a stupid person who clicks anything in FF.
Congratulations on sounding petty and childish, again.
Posted by: ben | July 6, 2006 7:40 AM
I guess microsoft really does think this.. they need to install spyware that connects to their servers, and alert users that they may be using an illegal copy.. yes!!! we are that stupid, microsoft.. go ahead and make your wga wgan mandotory , these are absolutely needed, their like making are machines safe from ourselves we need to connect to your servers every few seconds to make sure we havent got an illegal copy..
yes microsoft we as users ARE stupid.. stupid for using your crappy software.
Posted by: Screwed_Society | July 6, 2006 10:02 AM
Who, it seems that Bill ordered a mass reply.
Maybe Asa has mistaken the moment, but the things he's arguing are not so far from the true.
About pop-up: MS arrived late.
About ActiveXs: Ask one of the mass that migrated to FF, about their past and present fighting spywares and virus, even when they are using FF extensions. Ask them how much they'll need to get paid to return to IE.
About being a MS hater:
The must justifiable thing in this planet is to be a MS hater. What else can Microsoft expect to harvest ? The Empire destroy every thing that is in its bussiness area. Even the oldest and loyal partner. Thanks God MS minds are openning for a while.
About criticize the misspelled words:
Good work ! Certanly this orthographic gurus are the ones that Mikes refuses to find a patch for.
Best regards..
Posted by: José P. H. | July 10, 2006 1:02 PM
Something else about plugins: as opposed to activeX and FF extensions, plugins actually have a decent security model, and restrict access to the system.
ActiveX controls are globally available in the system and can do anything the user can do, extensions are just installed in FF but also can do anything in the system that the user can do, but plugins are just installed in FF and can only affect the browser (IIRC)
Posted by: David | July 19, 2006 8:08 AM
Wow, very nicely said Asa!